chore: fix npm audit woes #438
Conversation
Can you confirm whether it's similar to this one or not?
@anikethsaha Not exactly. The main upgrade here is
I reworked this PR to only relax the audit step a little. All of the vulnerabilities we're seeing now are low-level, and via the Jest dependency.
* only check production dependencies
* don't have low-level vulnerabilities break the build
* output parseable format to avoid huge ANSI art log
Should be fixed now... Turns out
@@ -21,7 +21,7 @@ | |||
"prebuild": "npm run clean", | |||
"build": "cross-env NODE_ENV=production babel src -d dist --copy-files", | |||
"commitlint": "commitlint --from=master", | |||
"security": "npm audit", | |||
"security": "npm audit --audit-level=moderate --parseable --production", |
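Review bot: adding `--production` to the `security` script takes every devDependency out of the audit's scope, so advisories reached only through the Jest/jsdom tree will no longer be reported at all, independent of `--audit-level=moderate`; if that narrowing is intended, state it next to the script or in the PR description so a later reader does not assume dev dependencies are still checked, and consider a separate non-blocking `npm audit` run that keeps them visible.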
Remove all flags
Can you explain? That'll make this patch a full no-op and audit will be broken still.
Acorn released a new version with the fix; we don't need it anymore, just update the lock file.
That wouldn't seem to help due to how things are pinned in Jest's JSDOM:
$ rm package-lock.json
$ npm i
added 10 packages from 84 contributors, removed 619 packages, updated 55 packages and audited 894519 packages in 18.582s
found 7 moderate severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
$ npm audit; npm audit --parseable
=== npm audit security report ===
# Run npm install --save-dev jest@25.1.0 to resolve 7 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
[... snip ...]
found 7 moderate severity vulnerabilities in 894519 scanned packages
7 vulnerabilities require semver-major dependency updates.
install acorn moderate npm install --save-dev jest@25.1.0 Regular Expression Denial of Service https://npmjs.com/advisories/1488 jest>jest-cli>@jest/core>@jest/reporters>jest-runtime>jest-config>jest-environment-jsdom>jsdom>acorn Y
install acorn moderate npm install --save-dev jest@25.1.0 Regular Expression Denial of Service https://npmjs.com/advisories/1488 jest>jest-cli>@jest/core>jest-runner>jest-jasmine2>jest-runtime>jest-config>jest-environment-jsdom>jsdom>acorn Y
install acorn moderate npm install --save-dev jest@25.1.0 Regular Expression Denial of Service https://npmjs.com/advisories/1488 jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>acorn Y
install acorn moderate npm install --save-dev jest@25.1.0 Regular Expression Denial of Service https://npmjs.com/advisories/1488 jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>acorn Y
install acorn moderate npm install --save-dev jest@25.1.0 Regular Expression Denial of Service https://npmjs.com/advisories/1488 jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>acorn Y
install acorn moderate npm install --save-dev jest@25.1.0 Regular Expression Denial of Service https://npmjs.com/advisories/1488 jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>acorn Y
install acorn moderate npm install --save-dev jest@25.1.0 Regular Expression Denial of Service https://npmjs.com/advisories/1488 jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>acorn Y
$
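The gating the new `security` script depends on, as an added example (not code from the PR or from npm): a small Python model of how `--production` and `--audit-level=moderate` filter `--parseable` rows like the ones above. The input is constructed; only the acorn row is taken from the output in this thread, while prod-lib-a, prod-lib-b and their URLs are invented.

```python
from typing import Dict, List, Tuple

# npm's severity ladder; `--audit-level=X` exits non-zero only for findings >= X.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed stand-in for `npm audit --parseable` output (tab-separated columns:
# action, package, severity, resolution, title, url, path, dev-dependency Y/N).
# The acorn row reproduces a path from the thread; prod-lib-a/b are invented.
SAMPLE_PARSEABLE = "\n".join([
    "install\tacorn\tmoderate\tnpm install --save-dev jest@25.1.0"
    "\tRegular Expression Denial of Service\thttps://npmjs.com/advisories/1488"
    "\tjest>jest-cli>jest-config>jest-environment-jsdom>jsdom>acorn\tY",
    "update\tprod-lib-a\tlow\tnpm update prod-lib-a\tConstructed low finding"
    "\thttps://example.invalid/advisory-a\tprod-lib-a\tN",
    "install\tprod-lib-b\thigh\tnpm install prod-lib-b@2.0.0\tConstructed high finding"
    "\thttps://example.invalid/advisory-b\tprod-lib-b\tN",
])


def parse_parseable(text: str) -> List[Dict[str, object]]:
    """Parse `--parseable` rows into dicts, rejecting malformed rows."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"row {lineno}: expected 8 fields, got {len(fields)}")
        action, package, severity, resolution, title, url, path, dev = fields
        if severity not in SEVERITY_RANK or dev not in ("Y", "N"):
            raise ValueError(f"row {lineno}: unknown severity or dev flag")
        findings.append({"action": action, "package": package, "severity": severity,
                         "resolution": resolution, "title": title, "url": url,
                         "path": path, "dev": dev == "Y"})
    return findings


def audit_gate(findings: List[Dict[str, object]], audit_level: str = "low",
               production: bool = False) -> Tuple[bool, List[Dict[str, object]]]:
    """Return (build_fails, still_reported). `--production` drops dev-only rows
    from scope entirely; `--audit-level` fails only on remaining rows >= level."""
    reported = [f for f in findings if not (production and f["dev"])]
    threshold = SEVERITY_RANK[audit_level]
    build_fails = any(SEVERITY_RANK[f["severity"]] >= threshold for f in reported)
    return build_fails, reported


if __name__ == "__main__":
    found = parse_parseable(SAMPLE_PARSEABLE)
    print("plain `npm audit` fails:", audit_gate(found)[0])
    fails, left = audit_gate(found, "moderate", True)
    print("PR flags fail:", fails, "still reported:", [f["package"] for f in left])
```

With only the acorn rows from the thread as input, the PR's flags make the run pass because every row is a dev dependency, not because its severity was judged acceptable.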
So @evilebottnawi, what should we do?
Ignore it, we can't do anything here.
Done in master, thanks for the PR
This PR contains a:
Motivation / Use-Case
Azure Pipelines' audit step has been broken for a while.
This PR relaxes the "security" step:
Breaking Changes
None.
Additional Info